DarkGate Malware Operators on a Phishing SpreeVectors Includes Teams Phishing and Malvertising
Advertising on Russian-language criminal forums is paying off for the author of the DarkGate malware as reflected by a spike in infections, including an unusual phishing campaign on Microsoft Teams to deliver the loader through HR-themed social engineering chat messages.
Cyber defenders first spotted the DarkGate commodity loader in 2018. Researchers from Deutsche Telekom in late August said the commodity loader's coder this summer began renting out the malware to a limited number of affiliates. "Before that, the malware was only used privately by the developer," the researchers said to explain the intensified email spamming campaign to lure victims into downloading DarkGate.
In June 2023, ZeroFox reported that someone claiming to be the original author of DarkGate had promoted access of the malware to just 10 people for an annual price of $100,000.
Researchers from TrueSec now said they've spotted threat actors abusing compromised Office 365 accounts to send phishing messages containing a DarkGate Loader malware on Microsoft Teams to an unnamed organization. The bait was a link to a SharePoint-hosted file named "Changes to the vacation schedule.zip." Microsoft Teams security features such as Safe Attachments and Safe Links did not detect or block the malicious attack, said TrueSec.
Researches from Kaspersky said DarkGate's capabilities include hidden VNC, Windows Defender exclusion, browser history stealing, reverse proxy, file management, and Discord token stealing. The features "go beyond typical downloader functionality," they wrote.
Malwarebytes in late August uncovered an additional vector of DarkGate infection: malvertising. Bad actors behind the dropper bought ads on the Google search engine. Victims who clicked on the advertising saw a fake webpage masquerading as a popular network scanning tool offering a download containing the legitimate app "but also some extra files," i.e., DarkGate.